1Password SSH

At work, engineers are strongly encouraged to use an additional factor of authentication for SSH keys, rather than the traditional passwordless approach. While Yubikey’s work well for this type of thing, I found that 1Password’s SSH support is actually much more ergonomic.

The way that 1Password’s SSH integration works is that you specify an IdentityAgent in your SSH file which is what tells Git and other tools how to access your SSH keys stored in 1Password. When you create an SSH key in 1Password, the file it creates on disk is simply a reference to the item in 1Password, so your private key is never stored on disk and can only be accessed through 1Password.

Let’s update our SSH config like so:

Host *
  IdentityAgent "~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock"

With this setup, we can then point hosts to a file containing our SSH public key. This will be passed to the identity agent (1Password), which will lookup our SSH private key to use for the current SSH operation. All without your private key every touching your file system.

Host github.com
  User git
  IdentityFile ~/.ssh/id_ed25519.pub
  IdentitiesOnly yes